Ads displaying as code when all scripts are allowed

Bush Hayvers

Ads displaying as code when all scripts are allowed

Post by Bush Hayvers » Thu Dec 11, 2014 12:28 am

I have NoScript 2.6.9.6 installed on Firefox 34.0 and it is stopping adverts from loading on http://superbestfriendsplay.com despite being set to allow everything on the page, and the page itself being in the whitelist. They display like this http://i.imgur.com/eutzTZg.jpg instead. This has only started happening in the last few days. Disabling NoScript entirely brings the adverts back, so I know it isn't AdBlock Plus etc. As far as I can see this is the only site this is happening on.

I'd like to support the guys behind that site, so any help would be much appreciated.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0

barbaz
Senior Member
Posts: 9584
Joined: Sat Aug 03, 2013 5:45 pm

Re: Ads displaying as code when all scripts are allowed

Post by barbaz » Thu Dec 11, 2014 5:58 am

Confirmed.

Well, I am seeing a lot of [NoScript XSS] messages about a sanitised window.name, and a few messages that are nothing but a URL followed by "about:blank".
I don't know how to get around it (or whether doing so would actually let a malicious threat in), sorry.

The actual console output is way way *way* **way** too long to post here - 344KB total!! - so I've uploaded it to [x].
Last edited by barbaz on Fri Jan 30, 2015 3:51 am, edited 1 time in total.
Reason: remove dead link
*Always* check the changelogs BEFORE updating that important software!
Opera/9.80 (Macintosh; Intel Mac OS X; U; en) Presto/2.6.30 Version/10.61

Thrawn
Senior Member
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia

Re: Ads displaying as code when all scripts are allowed

Post by Thrawn » Fri Dec 12, 2014 12:44 am

That's weird; it looks like NoScript is saying that someone is passing an entire HTML page (with inline script) through window.name.

Maybe it is this insanity? If so, then please leave it blocked for your own safety.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:34.0) Gecko/20100101 Firefox/34.0

barbaz
Senior Member
Posts: 9584
Joined: Sat Aug 03, 2013 5:45 pm

Re: Ads displaying as code when all scripts are allowed

Post by barbaz » Thu Jan 29, 2015 8:34 pm

barbaz wrote:The actual console output is way way *way* **way** too long to post here - 344KB total!! - so I've uploaded it to

Is there any point to keep that up anymore?
*Always* check the changelogs BEFORE updating that important software!
Mozilla/5.0 (X11; NetBSD i386; rv:28.0) Gecko/20100101 Firefox/28.0 SeaMonkey/2.25

Thrawn
Senior Member
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia

Re: Ads displaying as code when all scripts are allowed

Post by Thrawn » Fri Jan 30, 2015 3:28 am

A snippet should do:


[NoScript XSS]: sanitized window.name, "1-0-1;87172;<!doctype html><html><head><style><!--
a:link { color: #ffffff }a:visited { color: #ffffff }a:hover { color: #ffffff }a:active { color: #ffffff }  --></style><script><!--
(function(){var d=this,f=function(a){var b=typeof a;if("object"==b)if(a){if(a instanceof Array)return"array";if(a instanceof Object)return b;var c=Object.prototype.toString.call(a);if("[object Window]"==c)return"object";if("[object Array]"==c||"number"==typeof a.length&&"undefined"!=typeof a.splice&&"undefined"!=typeof a.propertyIsEnumerable&&!a.propertyIsEnumerable("splice"))return"array";if("[object Function]"==c||"undefined"!=typeof a.call&&"undefined"!=typeof a.propertyIsEnumerable&&!a.propertyIsEnumerable("call"))return"function"}else return"null";else if("function"==b&&"undefined"==typeof a.call)return"object";return b};var g;e:{var h=d.navigator;if(h){var k=h.userAgent;if(k){g=k;break e}}g=""};var l=-1!=g.indexOf("Opera")||-1!=g.indexOf("OPR"),n=-1!=g.indexOf("Trident")||-1!=g.indexOf("MSIE"),p=-1!=g.indexOf("Gecko")&&-1==g.toLowerCase().indexOf("webkit")&&!(-1!=g.indexOf("Trident")||-1!=g.indexOf("MSIE")),q=-1!=g.toLowerCase().indexOf("webkit");(function(){var a="",b;if(l&&d.opera)return a=d.opera.version,"function"==f(a)?a():a;p?b=/rv\:([^\);]+)(\)|;)/:n?b=/\b(?:MSIE|rv)[: ]([^\);]+)(\)|;)/:q&&(b=/WebKit\/(\S+)/);b&&(a=(a=b.exec(g))?a[1]:"");return n&&(b=(b=d.document)?b.documentMode:void 0,b>parseFloat(a))?String(b):a})();var r={};window.ss=function(a){void 0!==r[a]?r[a]++:r[a]=1;var b=document.getElementById(a),c=r[a];if(window.css)css(a,"nm",c,void 0,void 0);else if(b){a=b.href;var e=a.indexOf("&nm=");if(0>e)c=a+"&nm="+c;else var e=e+4,m=a.indexOf("&",e),c=0<=m?a.substring(0,e)+c+a.substring(m):a.substring(0,e)+c;b.href=2E3<c.length?a:c}};})();function su(id) {var a = document.getElementById(id);var b = (new Date()).getTime();if (a && a.myt && b) {var t = b - a.myt;if (window.css) {css(id,'clkt',t);return;}var bi = a.href.indexOf("&clkt=");if (bi > 0) {var c = a.href.substring(0, bi+6); var d = a.href.substring(bi+6, a.href.length);var ei = d.indexOf("&");var r = '';if (ei >= 0)r = d.substring(ei, d.length);a.href = c + t + r; } else {a.href += "&clkt=" 
+ t;}}}(function(){var d=this,g=function(a){var b=typeof a;if("object"==b)if(a){if(a instanceof Array)return"array";if(a instanceof Object)return b;var c=Object.prototype.toString.call(a);if("[object Window]"==c)return"object";if("[object Array]"==c||"number"==typeof a.length&&"undefined"!=typeof a.splice&&"undefined"!=typeof a.propertyIsEnumerable&&!a.propertyIsEnumerable("splice"))return"array";if("[object Function]"==c||"undefined"!=typeof a.call&&"undefined"!=typeof a.propertyIsEnumerable&&!a.propertyIsEnumerable("call"))return"function"}else return"null";else ...
URL: http://tpc.googlesyndication.com/safeframe/1-0-1/html/container.html#xpc=sf-gdn-exp-2&p=http%3A//superbestfriendsplay.com

http://tpc.googlesyndication.com/safeframe/1-0-1/html/container.html#xpc=sf-gdn-exp-2&p=http%3A//superbestfriendsplay.com
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:35.0) Gecko/20100101 Firefox/35.0
